diff --git a/flake.lock b/flake.lock index 2960ad5..86d414f 100644 --- a/flake.lock +++ b/flake.lock @@ -4,52 +4,51 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "utils": "utils" + ] }, "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", + "lastModified": 1685599623, + "narHash": "sha256-Tob4CMOVHue0D3RzguDBCtUmX5ji2PsdbQDbIOIKvsc=", "owner": "nix-community", "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", + "rev": "93db05480c0c0f30382d3e80779e8386dcb4f9dd", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-22.11", + "ref": "release-23.05", "repo": "home-manager", "type": "github" } }, "nixos-unstable": { "locked": { - "lastModified": 1681147610, - "narHash": "sha256-v4D4kTiQszI/3UXbeEYfpYtSdSD64DyAwB4rLK6i8mQ=", + "lastModified": 1685931219, + "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a9a909139f21c687d856fd3b19d7fb70439c7863", + "rev": "7409480d5c8584a1a83c422530419efe4afb0d19", "type": "github" }, "original": { "owner": "NixOS", - "ref": "master", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1681041438, - "narHash": "sha256-NmRGMklxBZ8Ol47CKMQxAU1F+v8ySpsHAAiC7ZL4vxY=", + "lastModified": 1686059680, + "narHash": "sha256-sp0WlCIeVczzB0G8f8iyRg3IYW7KG31mI66z7HIZwrI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "48dcbaf7fa799509cbec85d55b8d62dcf1477d57", + "rev": "a558f7ac29f50c4b937fb5c102f587678ae1c9fb", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "release-23.05", "repo": "nixpkgs", "type": "github" } @@ -60,21 +59,6 @@ "nixos-unstable": "nixos-unstable", "nixpkgs": "nixpkgs" } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 62fd26e..9b8f89f 100644 --- a/flake.nix +++ b/flake.nix @@ -1,9 +1,9 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; - nixos-unstable.url = "github:NixOS/nixpkgs/master"; + nixpkgs.url = "github:NixOS/nixpkgs/release-23.05"; + nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; home-manager = { - url = "github:nix-community/home-manager/release-22.11"; + url = "github:nix-community/home-manager/release-23.05"; inputs.nixpkgs.follows = "nixpkgs"; }; }; @@ -30,6 +30,11 @@ inherit system; config.allowUnfree = true; + + config.permittedInsecurePackages = [ + "openssl-1.1.1t" + "openssl-1.1.1u" + ]; }; wrapUtils = { pkgs, unstablePkgs, system }: diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index d4a6a57..07d36fc 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -1,34 +1,26 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htbaz.giugl.io"; - network = import ./network.nix; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - services = { - bazarr = { - enable = true; - group = "media"; - }; + services.bazarr = { + enable = true; + group = "media"; + }; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:6767"; - extraConfig = auth_block { - access_role = "bazarr"; - }; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "wireguard" "tailscale" ]; + locations."/" = { + allowLan = true; + port = 6767; + + allow = [ + wireguard.net + tailscale.net + ]; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; - users.groups.media.members = [ "bazarr" ]; } diff --git a/hosts/architect/calibre.nix b/hosts/architect/calibre.nix index 185bc75..362a4f0 100644 --- a/hosts/architect/calibre.nix +++ b/hosts/architect/calibre.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "books.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -29,9 +31,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "calibre-web" ]; diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index ad5e343..6d2ec6d 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -1,11 +1,13 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let pubkeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230" ]; - hostname = "architect"; - network = import ./network.nix; + domain = "devs.giugl.io"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings; in { imports = [ @@ -29,7 +31,7 @@ in ./prowlarr.nix ./libreddit.nix ./invidious.nix -# ./lidarr.nix + # ./lidarr.nix # ./navidrome.nix ./jellyfin.nix ./prosody.nix @@ -37,11 +39,32 @@ in #./calibre.nix ./docker.nix ./keycloak.nix - ./runas.nix + # ./runas.nix ./tailscale.nix - ./searx.nix + # ./searx.nix + #./plex.nix + ./headscale.nix ]; + architect = { + networks.lan = { + interface = "enp5s0"; + net = "10.0.0.0/24"; + devices = { + vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; }; + + architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; }; + router = { address = "10.0.0.1"; hostname = "router.${domain}"; }; + dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; }; + }; + }; + + firewall = { + openTCP = [ 22 ]; + openTCPVPN = [ 22 ]; + }; + }; + time.timeZone = "Europe/Rome"; users.users.giulio.openssh.authorizedKeys.keys = pubkeys; boot = { @@ -58,13 +81,15 @@ in }; }; - kernelParams = [ - "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" + kernelParams = with config.architect.networks.lan; [ + "ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off" "nvme_core.default_ps_max_latency_us=5500" "zfs_arc_max=1073741824" "memmap=32M$0x4ca6f9478" ]; + kernelPackages = pkgs.linuxPackages; + kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; loader = { @@ -77,33 +102,24 @@ in supportedFilesystems = [ "zfs" ]; zfs.requestEncryptionCredentials = true; - tmpOnTmpfsSize = "50%"; + tmp.tmpfsSize = "50%"; }; - networking = { - hostName = hostname; + networking = with config.architect.networks.lan; { + hostName = "architect"; hostId = "49350853"; useDHCP = false; - defaultGateway = "10.0.0.1"; + defaultGateway = devices.router.address; interfaces = { - enp5s0.ipv4.addresses = [{ - address = network.architect-lan; + ${interface}.ipv4.addresses = [{ + address = devices.architect.address; prefixLength = 24; }]; enp6s0.useDHCP = false; wlp4s0.useDHCP = false; }; - extraHosts = '' - 127.0.0.1 ${hostname}.devs.giugl.io localhost + extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + '' - # LAN - ${network.architect-lan} ${hostname}.devs.giugl.io - - ${network.dvr-lan} dvr.devs.giugl.io - ${network.nas-lan} nas.devs.giugl.io - ${network.router-lan} router-manduria.devs.giugl.io - 192.168.1.1 vodafone.station - # Blacklist 0.0.0.0 metrics.plex.tv 0.0.0.0 analytics.plex.tv @@ -130,11 +146,6 @@ in driSupport = true; }; - architect.firewall = { - openTCP = [ 22 ]; - openTCPVPN = [ 22 ]; - }; - services = { fwupd.enable = true; das_watchdog.enable = true; @@ -142,8 +153,12 @@ in xserver.videoDrivers = [ "nvidia" ]; openssh = { enable = true; - passwordAuthentication = false; - kbdInteractiveAuthentication = false; + + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + }; + extraConfig = '' MaxAuthTries 15 ''; @@ -153,6 +168,7 @@ in environment = { variables = { LIBVA_DRIVER_NAME = "vdpau"; }; - systemPackages = with pkgs; [ cachix ]; + systemPackages = with pkgs; [ cachix linuxPackages.usbip ]; }; } + diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix index cf3a781..98522f8 100644 --- a/hosts/architect/deluge.nix +++ b/hosts/architect/deluge.nix @@ -2,8 +2,10 @@ let domain = "htdel.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; listenPorts = [ 51413 51414 ]; in @@ -54,9 +56,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "deluge" ]; diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index 4121292..801cbae 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -1,48 +1,53 @@ { config, pkgs, lib, ... }: let - adguard_webui_port = 3031; - adguard_dns_port = "5300"; - dnscrypt_listen_port = "5353"; + domain = "adguard.architect.devs.giugl.io"; in { - architect.firewall.openUDPVPN = [ 53 ]; + architect = { + firewall.openUDPVPN = [ 53 ]; + + vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + + locations."/" = with config; { + port = services.adguardhome.settings.bind_port; + allow = with architect.networks; [ lan.net tailscale.net ]; + deny = [ + architect.networks."lan".devices.router.address + ]; + }; + }; + }; services = { dnsmasq = { enable = true; - # adguard port - servers = [ "127.0.0.1#${adguard_dns_port}" ]; - extraConfig = '' - localise-queries - min-cache-ttl=120 - max-cache-ttl=2400 - ''; + settings = { + server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ]; + localise-queries = true; + min-cache-ttl = 120; + max-cache-ttl = 2400; + domain = [ + "runas.rocks" + "giugl.io" + "devs.runas.rocks" + "devs.giugl.io" + ]; + }; }; adguardhome = { - enable = true; - port = adguard_webui_port; - }; - - dnscrypt-proxy2 = { enable = true; settings = { - listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; - ipv4_servers = true; - ipv6_servers = false; - block_ipv6 = true; - dnscrypt_servers = true; - doh_servers = true; - require_nolog = true; - require_nofilter = true; - timeout = 350; - lb_strategy = "p4"; - lb_estimator = true; - ignore_system_dns = true; - fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; - cache_min_ttl = 450; - cache_max_ttl = 2400; + bind_port = 5353; + dns = { + port = 5300; + }; + upstream_dns = [ + "tls://architect.d65174.dns.nextdns.io" + "https://dns.nextdns.io/d65174/architect" + ]; }; }; }; diff --git a/hosts/architect/docker.nix b/hosts/architect/docker.nix index 6e294da..69b0ee5 100644 --- a/hosts/architect/docker.nix +++ b/hosts/architect/docker.nix @@ -1,10 +1,23 @@ +{ config, ... }: + { - virtualisation.docker = { - enable = true; - extraOptions = '' - --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker - ''; - enableOnBoot = false; + architect.networks.docker = { + interface = "docker0"; + net = "172.17.0.0/16"; }; + + virtualisation = { + oci-containers.backend = "docker"; + + docker = { + enable = true; + extraOptions = '' + --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker + ''; + enableOnBoot = false; + daemon.settings.iptables = false; + }; + }; + users.users.giulio.extraGroups = [ "docker" ]; } diff --git a/hosts/architect/fail2ban.nix b/hosts/architect/fail2ban.nix index 2dfa35c..65836f0 100644 --- a/hosts/architect/fail2ban.nix +++ b/hosts/architect/fail2ban.nix @@ -1,9 +1,14 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: + +{ services.fail2ban = { enable = true; package = pkgs.fail2ban; packageFirewall = pkgs.nftables; bantime-increment.enable = true; - ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; + ignoreIP = [ + config.architect.networks.lan.net + config.architect.networks.tailscale.net + ]; }; } diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 1f43c40..255f46f 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix @@ -1,13 +1,38 @@ { config, lib, ... }: -with import ./network.nix; -with lib; - let - openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; - openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; - openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; - openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; + openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP; + openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP; + openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN; + openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN; + + deviceAddress = interface: device: + config.architect.networks.${interface}.devices.${device}.address; + + gdevices = [ + (deviceAddress "tailscale" "architect") + (deviceAddress "tailscale" "dodino") + (deviceAddress "tailscale" "manduria") + (deviceAddress "tailscale" "kmerr") + (deviceAddress "tailscale" "chuck") + ]; + + wireguardToWAN = [ + (deviceAddress "wireguard" "shield") + (deviceAddress "wireguard" "parina") + (deviceAddress "wireguard" "parina-ipad") + (deviceAddress "wireguard" "germano") + ]; + + frameccaDevices = [ + (deviceAddress "wireguard" "framecca") + (deviceAddress "wireguard" "framecca_one") + (deviceAddress "wireguard" "framecca_two") + (deviceAddress "wireguard" "framecca_three") + (deviceAddress "wireguard" "framecca_four") + ]; + + clientToClientWireguard = frameccaDevices; in { networking = { @@ -17,7 +42,7 @@ in nftables = { enable = true; - ruleset = '' + ruleset = with config.architect.networks; '' table ip raw { chain PREROUTING { type filter hook prerouting priority raw; policy accept; @@ -29,6 +54,9 @@ in } table ip nat { + chain DOCKER { + type nat hook prerouting priority dstnat; policy accept; + } chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } @@ -43,11 +71,11 @@ in chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; - oifname ${wan-if} ip saddr {${ - lib.concatStringsSep "," towan-wg + oifname ${lan.interface} ip saddr {${ + lib.concatStringsSep "," wireguardToWAN }} masquerade - oifname ${wan-if} ip saddr ${docker-net} masquerade - oifname ${wan-if} ip saddr ${tailscale-net} masquerade + oifname ${lan.interface} ip saddr ${docker.net} masquerade + oifname ${lan.interface} ip saddr ${tailscale.net} masquerade } } @@ -57,12 +85,13 @@ in ct state invalid,untracked drop comment "drop invalid" ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" - iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" - iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" - iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" - iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" - iifname ${tailscale-if} ip saddr ${tailscale-net} accept + iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}" + iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}" + iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}" + iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}" + iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}" + iifname ${tailscale.interface} ip saddr ${tailscale.net} accept + iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept iifname "lo" accept comment "bind any ip to intf lo" jump mangle_drop } @@ -115,17 +144,17 @@ in iifname "lo" accept comment "loopback" ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" - ip saddr ${lan-net} accept comment "lan > local" - ip saddr ${tailscale-net} accept comment "tailscale > local" + ip saddr ${lan.net} accept comment "lan > local" + iifname ${docker.interface} accept + ip saddr ${tailscale.net} accept comment "tailscale > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local" - iifname ${wan-if} tcp dport {${openTCP}} accept - iifname ${wan-if} udp dport {${openUDP}} accept - iifname ${vpn-if} tcp dport {${openTCPVPN}} accept - iifname ${vpn-if} udp dport {${openUDPVPN}} accept + iifname ${lan.interface} tcp dport {${openTCP}} accept + iifname ${lan.interface} udp dport {${openUDP}} accept + iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept + iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept - iifname ${vpn-if} icmp type echo-request accept - iifname ${docker-if} udp dport 53 accept + iifname ${wireguard.interface} icmp type echo-request accept jump filter_drop } @@ -134,17 +163,17 @@ in ct state established,related accept # client to client - ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${ - lib.concatStringsSep "," c2c-wg + ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${ + lib.concatStringsSep "," clientToClientWireguard }} accept # nat to wan - oifname ${wan-if} ip saddr {${ - lib.concatStringsSep "," towan-wg + oifname ${lan.interface} ip saddr {${ + lib.concatStringsSep "," wireguardToWAN }} accept - oifname ${wan-if} ip saddr ${docker-net} accept - oifname ${wan-if} ip saddr ${tailscale-net} accept + oifname ${lan.interface} ip saddr ${docker.net} accept + oifname ${lan.interface} ip saddr ${tailscale.net} accept jump filter_drop } diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 3f4c8a9..62eb732 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -2,40 +2,30 @@ let domain = "git.giugl.io"; - network = import ./network.nix; in { - architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; + architect = { + firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; + vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/".port = config.services.gitea.settings.server.HTTP_PORT; + }; + }; services.gitea = { enable = true; database.type = "sqlite3"; - domain = domain; appName = "Gitea"; - rootUrl = "https://${domain}"; + # https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453 + lfs.enable = true; settings = { server = { - LFS_START_SERVER = true; + DOMAIN = domain; + ROOT_URL = "https://${domain}"; SSH_PORT = 22; + HTTP_PORT = 3001; }; openid.enable_openid_signin = true; }; }; - - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - # it does not work, it breaks gitea's web portal - # extraConfig = auth_block { access_role = "git"; }; - }; - }; - - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; - } diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix new file mode 100644 index 0000000..265bc6a --- /dev/null +++ b/hosts/architect/headscale.nix @@ -0,0 +1,51 @@ +{ config, pkgs, lib, ... }: + +let + domain = "vipienne.giugl.io"; +in +{ + architect.firewall = { + openUDP = [ config.services.tailscale.port ]; + }; + + services = { + headscale = { + enable = true; + package = pkgs.unstablePkgs.headscale; + port = 1194; + address = "0.0.0.0"; + + settings = { + server_url = "https://${domain}"; + log.level = "debug"; + dns_config = { + magic_dns = true; + base_domain = "giugl.io"; + override_local_dns = true; + nameservers = [ config.architect.networks.tailscale.devices.architect.address ]; + }; + logtail.enabled = false; + ip_prefixes = [ config.architect.networks.tailscale.net ]; + noise.private_key_path = "/var/lib/headscale/noise_private.key"; + }; + }; + + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + extraConfig = '' + ssl_protocols TLSv1.2 TLSv1.3; + ''; + locations."/" = { + proxyPass = + "http://127.0.0.1:${toString config.services.headscale.port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + extraConfig = '' + proxy_buffering off; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''; + }; + }; + }; +} diff --git a/hosts/architect/invidious.nix b/hosts/architect/invidious.nix index 9dcfbf8..7b67e64 100644 --- a/hosts/architect/invidious.nix +++ b/hosts/architect/invidious.nix @@ -1,27 +1,16 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "tube.giugl.io"; - network = import ./network.nix; in { - services = { - invidious = { - enable = true; - port = 9092; - package = pkgs.unstablePkgs.invidious; - }; - - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:9092"; }; - }; + services.invidious = { + enable = true; + package = pkgs.unstablePkgs.invidious; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/".port = config.services.invidious.port; }; - - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; } diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index e2ad9fc..5d319e3 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -1,62 +1,49 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let - network = import ./network.nix; domain = "media.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + port = 8096; + allowLan = true; in { # needed since StateDirectory does not accept symlinks systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""; - services = { - jellyfin = { - enable = true; - group = "media"; - package = pkgs.unstablePkgs.jellyfin; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "lan" "wireguard" "tailscale" ]; + locations = { + "/" = { + inherit port allowLan; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } + - '' - # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - ''; - - locations."/" = { - proxyPass = "http://127.0.0.1:8096"; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; + allow = [ + wireguard.net + tailscale.net + ]; }; - locations."/socket" = { - proxyPass = "http://127.0.0.1:8096"; + "/socket" = { + inherit port allowLan; + proxyWebsockets = true; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; + allow = [ + wireguard.net + tailscale.net + ]; }; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; + services.jellyfin = { + enable = true; + group = "media"; + package = pkgs.unstablePkgs.jellyfin; + }; - users.groups.media.members = [ "jellyfin" ]; - users.groups.video.members = [ "jellyfin" ]; - users.groups.render.members = [ "jellyfin" ]; + users.groups = { + media.members = [ "jellyfin" ]; + video.members = [ "jellyfin" ]; + render.members = [ "jellyfin" ]; + }; fileSystems."/tmp/jellyfin" = { device = "none"; diff --git a/hosts/architect/keycloak.nix b/hosts/architect/keycloak.nix index 6972892..c8e7aa6 100644 --- a/hosts/architect/keycloak.nix +++ b/hosts/architect/keycloak.nix @@ -1,8 +1,10 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: let - network = import ./network.nix; domain = "auth.giugl.io"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -73,8 +75,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/libreddit.nix b/hosts/architect/libreddit.nix index e652599..c8313d3 100644 --- a/hosts/architect/libreddit.nix +++ b/hosts/architect/libreddit.nix @@ -1,26 +1,16 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "reddit.giugl.io"; - network = import ./network.nix; in { - services = { - libreddit = { - enable = true; - port = 9090; - }; - - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:9090"; }; - }; + services.libreddit = { + enable = true; + port = 9090; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/".port = config.services.libreddit.port; }; - - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; } diff --git a/hosts/architect/librephotos.nix b/hosts/architect/librephotos.nix new file mode 100644 index 0000000..82d933e --- /dev/null +++ b/hosts/architect/librephotos.nix @@ -0,0 +1,82 @@ +{ config, lib, ... }: + +let + domain = "photos.giugl.io"; + backendPort = 8001; + frontendPort = 3000; +in +{ + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" ]; + + locations."/" = { + host = "172.17.0.1"; + port = frontendPort; + # allowLan = true; + # allow = [ config.architect.networks."tailscale".net ]; + }; + + locations."~ ^/(api|media)/" = { + host = "172.17.0.1"; + port = backendPort; + # allowLan = true; + # allow = [ config.architect.networks."tailscale".net ]; + }; + + locations."/ws" = { + host = "172.17.0.1"; + port = backendPort; + proxyWebsockets = true; + # allowLan = true; + # allow = [ config.architect.networks."tailscale".net ]; + }; + }; + + services.redis.servers."librephotos" = { + enable = true; + port = 1233; + bind = "172.17.0.1"; + extraParams = [ "--protected-mode no" ]; + }; + + virtualisation.oci-containers = { + containers = { + librephotos-front = { + image = "reallibrephotos/librephotos-frontend:latest"; + autoStart = true; + ports = [ + "172.17.0.1:${toString frontendPort}:${toString frontendPort}" + ]; + }; + + librephotos-back = { + image = "reallibrephotos/librephotos:latest"; + autoStart = true; + + ports = [ + "172.17.0.1:${toString backendPort}:${toString backendPort}" + ]; + + environment = { + SECRET_KEY = "LOLOL"; + BACKEND_HOST = domain; + ADMIN_EMAIL = "me@giugl.io"; + ADMIN_USERNAME = "giulio"; + ADMIN_PASSWORD = "giulio"; + ALLOWED_HOSTS = domain; + DB_BACKEND = "mysql"; + DB_NAME = "librephotos"; + DB_USER = "librephotos"; + DB_PASS = "librephotos"; + DB_HOST = "172.17.0.1"; + DB_PORT = toString config.services.mysql.settings.mysqld.port; + REDIS_HOST = "172.17.0.1"; + REDIS_PORT = toString config.services.redis.servers."librephotos".port; + MAPBOX_API_KEY = "SOME_KEY"; + WEB_CONCURRENCY = "24"; + DEBUG = "0"; + }; + }; + }; + }; +} diff --git a/hosts/architect/lidarr.nix b/hosts/architect/lidarr.nix index 15f3a9b..c07bc97 100644 --- a/hosts/architect/lidarr.nix +++ b/hosts/architect/lidarr.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htlid.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,10 +27,10 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - + users.groups.media.members = [ "lidarr" ]; } diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix index 19feccb..ba13c57 100644 --- a/hosts/architect/matrix.nix +++ b/hosts/architect/matrix.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let domain = "runas.rocks"; - network = import ./network.nix; db_name = "matrix-synapse-runas.rocks"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -111,9 +113,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - } diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix index 96a4a35..f2a4f24 100644 --- a/hosts/architect/minecraft.nix +++ b/hosts/architect/minecraft.nix @@ -1,8 +1,10 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: let domain = "minecraft.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall.openTCP = [ 25565 ]; @@ -14,10 +16,10 @@ in package = pkgs.unstablePkgs.minecraft-server; serverProperties = { motd = "Welcome on the RuNas server!"; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix index 6e03f79..c8d0c7b 100644 --- a/hosts/architect/minio.nix +++ b/hosts/architect/minio.nix @@ -1,12 +1,17 @@ -{ lib, ... }: +{ config, lib, pkgs, ... }: let domain = "s3.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { - minio.enable = true; + minio = { + enable = true; + package = pkgs.minio_legacy_fs; + }; nginx.virtualHosts.${domain} = { forceSSL = true; @@ -15,9 +20,8 @@ in proxyPass = "http://127.0.0.1:9000"; extraConfig = '' client_max_body_size 500M; - allow 10.0.0.0/24; - ${lib.concatMapStrings (x: "allow ${x};") network.gdevices } - allow ${network.manduria-wg}; + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; deny all; ''; }; @@ -25,8 +29,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/navidrome.nix b/hosts/architect/navidrome.nix index ae3f660..753f059 100644 --- a/hosts/architect/navidrome.nix +++ b/hosts/architect/navidrome.nix @@ -1,91 +1,81 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "music.runas.rocks"; - network = import ./network.nix; library_path = "/media/Music"; beets_config = "/media/beets.conf"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - services = { - navidrome = { - enable = true; + services.navidrome = { + enable = true; - settings = { - MusicFolder = library_path; - LastFM.enable = true; - LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; - LastFM.Secret = "d1296896126f4caae47407aecf080b25"; - Spotify.ID = "3900c029b4f34f3fb61d554dda64794d"; - Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a"; - EnableGravatar = true; - LogLevel = "WARN"; - }; - }; - - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:4533"; - }; - extraConfig = auth_block { access_role = "navidrome"; }; + settings = { + MusicFolder = library_path; + LastFM.enable = true; + LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; + LastFM.Secret = "d1296896126f4caae47407aecf080b25"; + Spotify.ID = "3900c029b4f34f3fb61d554dda64794d"; + Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a"; + EnableGravatar = true; + LogLevel = "WARN"; }; }; - systemd.services = { - "beets-update" = { - enable = true; - # requires = [ "remove-badmp3.service" "remove-badflac.service" ]; - before = [ "beets-import.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update"; - }; - }; - - "beets-import" = { - enable = true; - path = [ pkgs.imagemagick ]; - requires = [ "beets-update.service" ]; - after = [ "beets-update.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = - "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; - }; - startAt = "weekly"; - }; - - "remove-badmp3" = { - enable = true; - before = [ "beets-import.service" "beets-update.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = '' - ${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \; - ''; - }; - }; - - "remove-badflac" = { - enable = true; - before = [ "beets-import.service" "beets-update.service" ]; - serviceConfig = { - Type = "oneshot"; - ExecStart = '' - ${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \; - ''; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "lan" "tailscale" "wireguard" ]; + locations."/" = { + port = 4533; + allowLan = true; + allow = [ config.architect.networks."tailscale".net ]; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; + # systemd.services = { + # "beets-update" = { + # enable = true; + # # requires = [ "remove-badmp3.service" "remove-badflac.service" ]; + # before = [ "beets-import.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update"; + # }; + # }; + + # "beets-import" = { + # enable = true; + # path = [ pkgs.imagemagick ]; + # requires = [ "beets-update.service" ]; + # after = [ "beets-update.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = + # "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; + # }; + # startAt = "weekly"; + # }; + + # "remove-badmp3" = { + # enable = true; + # before = [ "beets-import.service" "beets-update.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = '' + # ${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \; + # ''; + # }; + # }; + + # "remove-badflac" = { + # enable = true; + # before = [ "beets-import.service" "beets-update.service" ]; + # serviceConfig = { + # Type = "oneshot"; + # ExecStart = '' + # ${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \; + # ''; + # }; + # }; + # }; users.groups.media.members = [ "navidrome" ]; } diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix deleted file mode 100644 index 5829676..0000000 --- a/hosts/architect/network.nix +++ /dev/null @@ -1,64 +0,0 @@ -rec { - # interfaces - wan-if = "enp5s0"; - vpn-if = "wg0"; - proxy-if = "proxy"; - docker-if = "docker0"; - tailscale-if = "ts0"; - - # nets - lan-net = "10.0.0.0/24"; - vpn-net = "10.3.0.0/24"; - external_lan-net = "192.168.1.0/24"; - docker-net = "172.17.0.0/16"; - tailscale-net = "100.64.0.0/10"; - - # ips - router-lan = "10.0.0.1"; - dvr-lan = "10.0.0.2"; - nas-lan = "10.0.0.3"; - architect-lan = "10.0.0.250"; - - architect-wg = "10.3.0.1"; - manduria-wg = "10.3.0.5"; - antonio-wg = "10.3.0.6"; - gbeast-wg = "10.3.0.7"; - shield-wg = "10.3.0.12"; - salvatore-wg = "10.3.0.16"; - papa-wg = "10.3.0.17"; - defy-wg = "10.3.0.18"; - germano-wg = "10.3.0.19"; - flavio-wg = "10.3.0.20"; - tommy-wg = "10.3.0.21"; - alain-wg = "10.3.0.22"; - dima-wg = "10.3.0.23"; - mikey-wg = "10.3.0.24"; - andrew-wg = "10.3.0.25"; - mikeylaptop-wg = "10.3.0.26"; - andrewdesktop-wg = "10.3.0.27"; - jacopo-wg = "10.3.0.28"; - frznn-wg = "10.3.0.29"; - ludo-wg = "10.3.0.30"; - parina-wg = "10.3.0.31"; - nilo-wg = "10.3.0.32"; - parina-ipad-wg = "10.3.0.33"; - kclvm-wg = "10.3.0.34"; - framecca-wg = "10.3.0.35"; - - framecca_one-wg = "10.3.0.36"; - framecca_two-wg = "10.3.0.37"; - framecca_three-wg = "10.3.0.38"; - framecca_four-wg = "10.3.0.39"; - - giuliophone-ts = "100.68.68.46"; - architect-ts = "100.67.205.28"; - giuliopc-ts = "100.124.78.64"; - dodino-ts = "100.106.244.35"; - - framecca-devices = [ framecca-wg framecca_one-wg framecca_three-wg framecca_four-wg ]; - c2c-wg = framecca-devices; - - # groups - gdevices = [ giuliophone-ts architect-ts giuliopc-ts dodino-ts ]; - towan-wg = [ shield-wg parina-wg parina-ipad-wg germano-wg ] ++ framecca-devices; -} diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 519f6f8..5ad507f 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -1,15 +1,22 @@ -{ pkgs, ... }: +{ pkgs, config, lib, ... }: let domain = "cloud.giugl.io"; - network = import ./network.nix; redis_port = 6379; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + }; + mysql = { enable = true; - package = pkgs.unstablePkgs.mysql80; + package = pkgs.mariadb; }; redis = { @@ -24,8 +31,9 @@ in enable = true; hostName = domain; https = true; - package = pkgs.unstablePkgs.nextcloud25; + package = pkgs.unstablePkgs.nextcloud26; datadir = "/services/nextcloud"; + configureRedis = true; caching = { redis = true; }; @@ -33,15 +41,16 @@ in autoUpdateApps.enable = true; autoUpdateApps.startAt = "05:00:00"; + maxUploadSize = "50G"; + config = { overwriteProtocol = "https"; dbtype = "mysql"; - dbuser = "oc_giulio2"; + dbuser = "nextcloud"; dbhost = "localhost"; - dbname = "nextcloud_final"; + dbname = "nextcloud"; dbpassFile = "/secrets/nextcloud/dbpass.txt"; - adminpassFile = "/secrets/nextcloud/adminpass.txt"; - adminuser = "giulio"; + adminpassFile = "/secrets/nextcloud/dbpass.txt"; extraTrustedDomains = [ "${domain}" ]; }; }; @@ -53,13 +62,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - }; } diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 18817f3..a0b1bab 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -8,7 +8,7 @@ services.nginx = { enable = true; - package = pkgs.openresty; + package = pkgs.nginx; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; @@ -32,63 +32,64 @@ }; }; - appendHttpConfig = - let - extraPureLuaPackages = with pkgs.luajitPackages; [ - lua-resty-openidc - lua-resty-http - lua-resty-session - lua-resty-jwt - lua-resty-openssl - ]; - luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; - makeLuaPath = lib.concatMapStringsSep ";" luaPath; - in - '' - # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed - proxy_ssl_server_name on; + # appendHttpConfig = + # let + # extraPureLuaPackages = with pkgs.luajitPackages; [ + # lua-resty-openidc + # lua-resty-http + # lua-resty-session + # lua-resty-jwt + # lua-resty-openssl + # ]; + # luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; + # makeLuaPath = lib.concatMapStringsSep ";" luaPath; + # in + # '' + # # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed + # proxy_ssl_server_name on; - lua_package_path '${makeLuaPath extraPureLuaPackages};;'; - lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; - lua_ssl_verify_depth 5; + # lua_package_path '${makeLuaPath extraPureLuaPackages};;'; + # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; + # lua_ssl_verify_depth 5; - # cache for OIDC discovery metadata - lua_shared_dict discovery 1m; - lua_shared_dict jwks 1m; + # # cache for OIDC discovery metadata + # lua_shared_dict discovery 1m; + # lua_shared_dict jwks 1m; - # https://github.com/openresty/lua-resty-redis/issues/159 - resolver local=on ipv6=off; + # # https://github.com/openresty/lua-resty-redis/issues/159 + # resolver local=on ipv6=off; - init_worker_by_lua_block { - function check_role (res, role) - if res.user.roles == nil then - return false - end + # init_worker_by_lua_block { + # function check_role (res, role) + # if res.user.roles == nil then + # return false + # end - for _,v in pairs(res.user.roles) do - if string.lower(v) == role then - return true - end - end + # for _,v in pairs(res.user.roles) do + # if string.lower(v) == role then + # return true + # end + # end - return false - end + # return false + # end - function is_ip_whitelisted(ip, whitelist) - for _, x in ipairs(whitelist) do - if ip == x then - return true - end - end + # function is_ip_whitelisted(ip, whitelist) + # for _, x in ipairs(whitelist) do + # if ip == x then + # return true + # end + # end - return false - end - } - ''; + # return false + # end + # } + # ''; appendConfig = '' worker_processes 24; ''; }; + users.groups.acme.members = [ "nginx" ]; } diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index 07fedfe..180915e 100644 --- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix @@ -1,34 +1,22 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htnzb.giugl.io"; - network = import ./network.nix; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - services = { - nzbget = { - enable = true; - group = "media"; - }; + services.nzbget = { + enable = true; + group = "media"; + }; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:6789"; - extraConfig = auth_block { - access_role = "nzbget"; - }; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "wireguard" "lan" ]; + + locations."/" = { + port = 6789; + allowLan = true; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; - users.groups.media.members = [ "nzbget" ]; } diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix index cd2fd31..4c6326b 100644 --- a/hosts/architect/openid.nix +++ b/hosts/architect/openid.nix @@ -3,46 +3,48 @@ { openresty_oidc_block = { access_role ? "", whitelisted_ips ? [ ] }: '' - access_by_lua_block { - local opts = { - discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", - client_id = "nginx", - client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8", - logout_path = "/logout", - redirect_after_logout_uri = "/", - redirect_uri = "/redirect_uri", - keepalive = "yes", - accept_none_alg = true, - revoke_tokens_on_logout = true, - -- access token valid for a day - access_token_expires_in = 86400 - } - - ${lib.optionalString (whitelisted_ips != []) '' - local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} - - if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then - return - end - ''} - - -- call introspect for OAuth 2.0 Bearer Access Token validation - local res, err = require("resty.openidc").authenticate(opts) - - if err then - ngx.status = 403 - ngx.say(err) - ngx.exit(ngx.HTTP_FORBIDDEN) - end - - ${lib.optionalString (access_role != "") '' - if not check_role(res, "${access_role}") then - ngx.status = 401 - ngx.header.content_type = 'text/html'; - ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") - ngx.exit(ngx.HTTP_UNAUTHORIZED) - end - ''} - } + ''; + # access_by_lua_block { + # local opts = { + # discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", + # client_id = "nginx", + # client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8", + # logout_path = "/logout", + # redirect_after_logout_uri = "/", + # redirect_uri = "/redirect_uri", + # keepalive = "yes", + # accept_none_alg = true, + # revoke_tokens_on_logout = true, + # -- access token valid for a day + # access_token_expires_in = 86400 + # } + + # ${lib.optionalString (whitelisted_ips != []) '' + # local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} + + # if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then + # return + # end + # ''} + + # -- call introspect for OAuth 2.0 Bearer Access Token validation + # local res, err = require("resty.openidc").authenticate(opts) + + # if err then + # ngx.status = 403 + # ngx.say(err) + # ngx.exit(ngx.HTTP_FORBIDDEN) + # end + + # ${lib.optionalString (access_role != "") '' + # if not check_role(res, "${access_role}") then + # ngx.status = 401 + # ngx.header.content_type = 'text/html'; + # ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") + # ngx.exit(ngx.HTTP_UNAUTHORIZED) + # end + # ''} + # } + # ''; } diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix index 5f530b9..6138eb8 100644 --- a/hosts/architect/options.nix +++ b/hosts/architect/options.nix @@ -2,24 +2,155 @@ with lib; +let + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; +in { - options.architect.firewall = { - openTCP = mkOption { - type = types.listOf types.int; - default = [ ]; + options.architect = { + firewall = { + openTCP = mkOption { + type = types.listOf types.int; + default = [ ]; + }; + openUDP = mkOption { + type = types.listOf types.int; + default = [ ]; + }; + openTCPVPN = mkOption { + type = types.listOf types.int; + default = [ ]; + }; + openUDPVPN = mkOption { + type = types.listOf types.int; + default = [ ]; + }; }; - openUDP = mkOption { - type = types.listOf types.int; - default = [ ]; + + networks = mkOption { + type = types.attrsOf (types.submodule { + options = { + interface = mkOption { + type = types.str; + description = "The network interface name."; + }; + + net = mkOption { + type = types.str; + description = "The network address in CIDR format."; + }; + + devices = mkOption { + type = types.attrsOf (types.submodule { + options = { + address = mkOption { + type = types.str; + description = "The IP address of the device."; + }; + + hostname = mkOption { + type = types.str; + description = "The hostname of the device."; + }; + }; + }); + default = { }; + description = "An attribute set of devices with their configurations."; + }; + }; + }); + default = { }; + description = "An attribute set of networks with their configurations."; }; - openTCPVPN = mkOption { - type = types.listOf types.int; - default = [ ]; - }; - openUDPVPN = mkOption { - type = types.listOf types.int; - default = [ ]; + + vhost = mkOption { + type = types.attrsOf (types.submodule { + options = { + dnsInterfaces = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of interfaces to add extra DNS hosts for this vhost."; + }; + + locations = mkOption { + type = types.attrsOf (types.submodule { + options = { + extraConfig = mkOption { + type = types.str; + description = "Extra configuration for the location."; + default = ""; + }; + + allowLan = mkOption { + type = types.bool; + default = false; + }; + + proxyWebsockets = mkOption { + type = types.bool; + default = false; + }; + + host = mkOption { + type = types.str; + description = "The host for the location."; + default = "127.0.0.1"; + }; + + port = mkOption { + type = types.int; + description = "The port number for the location."; + }; + + allow = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "IP address or CIDR block to allow."; + }; + + deny = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "IP address or CIDR block to deny."; + }; + }; + }); + default = { }; + description = "An attribute set of location configurations."; + }; + }; + }); + default = { }; + description = "An attribute set of domain configurations."; }; }; + config = { + services.nginx.virtualHosts = mapAttrs + (domain: conf: { + forceSSL = true; + enableACME = true; + locations = mapAttrs + (path: location: { + proxyPass = "http://${location.host}:${toString location.port}"; + proxyWebsockets = location.proxyWebsockets; + extraConfig = '' + ${optionalString location.allowLan "deny 10.0.0.1;"} + ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny} + ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow} + ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''} + '' + location.extraConfig; + }) + conf.locations; + }) + config.architect.vhost; + + networking.extraHosts = concatStringsSep "\n" ( + mapAttrsToList + (domain: conf: concatMapStringsSep "\n" + (iface: "${architectInterfaceAddress iface} ${domain}") + conf.dnsInterfaces) + config.architect.vhost + ); + }; } diff --git a/hosts/architect/photoprism.nix b/hosts/architect/photoprism.nix new file mode 100644 index 0000000..c30b0e1 --- /dev/null +++ b/hosts/architect/photoprism.nix @@ -0,0 +1,37 @@ +{ config, pkgs, lib, ... }: + +let + domain = "photos.giugl.io"; +in +{ + services.photoprism = { + enable = true; + package = pkgs.photoprism; + originalsPath = "/var/lib/private/photoprism/originals"; + address = "0.0.0.0"; + settings = { + PHOTOPRISM_DEFAULT_LOCALE = "en"; + PHOTOPRISM_DATABASE_DRIVER = "mysql"; + PHOTOPRISM_DATABASE_NAME = "photoprism"; + PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock"; + PHOTOPRISM_DATABASE_USER = "photoprism"; + PHOTOPRISM_SITE_URL = "https://${domain}"; + PHOTOPRISM_SITE_TITLE = "PePrism"; + PHOTOPRISM_FFMPEG_ENCODER = "nvidia"; + PHOTOPRISM_INIT = "tensorflow"; + NVIDIA_VISIBLE_DEVICES = "all"; + NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility"; + PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg"; + }; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "lan" ]; + locations."/" = { + port = config.services.photoprism.port; + allowLan = true; + allow = [ config.architect.networks."tailscale".net ]; + proxyWebsockets = true; + }; + }; +} diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index 285abcd..bfaaee4 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -1,16 +1,25 @@ -{ pkgs, lib, ... }: +{ pkgs, config, lib, ... }: let - domain = "media.giugl.io"; - network = import ./network.nix; + domain = "plex.giugl.io"; + port = 32400; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { + architect.firewall = { + openTCP = [ 32400 3005 8324 32469 ]; + openUDP = [ 1900 5353 32410 32412 32413 32414 ]; + }; + services.plex = { enable = true; package = pkgs.unstablePkgs.plex; - dataDir = "/plex"; + # dataDir = "/plex"; }; + services.nginx = { enable = true; # give a name to the virtual host. It also becomes the server name. @@ -19,10 +28,6 @@ in enableACME = true; http2 = true; extraConfig = '' - allow 10.3.0.0/24; - allow 10.0.0.0/24; - deny all; - #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause send_timeout 100m; @@ -77,15 +82,17 @@ in # Buffering off send to the client as soon as the data is received from Plex. proxy_redirect off; proxy_buffering off; + + add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; ''; - locations."/" = { proxyPass = "http://127.0.0.1:32400"; }; + locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "plex" ]; diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix index d9a257a..d5c8302 100644 --- a/hosts/architect/prosody.nix +++ b/hosts/architect/prosody.nix @@ -4,7 +4,9 @@ let domain = "xmpp.giugl.io"; conference_domain = "conference.${domain}"; upload_domain = "uploads.${domain}"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { @@ -42,9 +44,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups = { diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index 17fdeba..2fff070 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -1,40 +1,19 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htpro.giugl.io"; - network = import ./network.nix; in { - services = { - prowlarr.enable = true; + services.prowlarr.enable = true; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:9696"; - extraConfig = '' - allow 10.0.0.0/24; - ${lib.concatMapStrings (x: "allow ${x};") network.gdevices} - deny all; - ''; - }; + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "wireguard" ]; - # locations."/api" = { - # proxyPass = "http://127.0.0.1:9696/prowlarr/api"; - # }; - # - # locations."/Content" = { - # proxyPass = "http://127.0.0.1:9696/prowlarr/Content"; - # }; + locations."/" = { + port = 9696; + allowLan = true; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; - users.groups.media.members = [ "prowlarr" ]; } diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index 0d042d0..46491cd 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix @@ -1,34 +1,26 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htrad.giugl.io"; - network = import ./network.nix; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - services = { - radarr = { - enable = true; - group = "media"; - }; + services.radarr = { + enable = true; + group = "media"; + }; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:7878"; - extraConfig = auth_block { - access_role = "radarr"; - }; - }; + architect.vhost.${domain} = with config.architect.networks; { + dnsInterfaces = [ "wireguard" "tailscale" ]; + locations."/" = { + port = 7878; + allowLan = true; + + allow = [ + wireguard.net + tailscale.net + ]; }; }; - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; - users.groups.media.members = [ "radarr" ]; } diff --git a/hosts/architect/runas.nix b/hosts/architect/runas.nix index 99eb081..2bcc112 100644 --- a/hosts/architect/runas.nix +++ b/hosts/architect/runas.nix @@ -1,14 +1,17 @@ -{ services, pkgs, lib, makeBinPath, ... }: +{ config, pkgs, lib, ... }: + let domain = "runas.rocks"; runas_root = "/var/lib/runas.rocks/dist"; service_name = "runas.rocks-pull"; - network = import ./network.nix; mkStartScript = name: pkgs.writeShellScript "${name}.sh" '' set -euo pipefail cd ${runas_root} git pull origin main --rebase ''; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services.nginx.virtualHosts.${domain} = { @@ -39,8 +42,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index 93c5aa1..acebe43 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix @@ -1,34 +1,22 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htson.giugl.io"; - network = import ./network.nix; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; in { - services = { - sonarr = { - enable = true; - group = "media"; - }; + services.sonarr = { + enable = true; + group = "media"; + }; + + architect.vhost.${domain} = { + dnsInterfaces = [ "tailscale" "wireguard" ]; - nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8989"; - extraConfig = auth_block { - access_role = "sonarr"; - }; - }; + locations."/" = { + port = 6969; + allowLan = true; }; }; - - networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} - ''; - + users.groups.media.members = [ "sonarr" ]; } diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 43dcab0..de3dc13 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -1,24 +1,38 @@ -{ config, lib, ... }: +{ pkgs, config, lib, ... }: let - network = import ./network.nix; + domain = "devs.giugl.io"; - ifname = "ts0"; + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings; in { - architect.firewall.openUDP = [ config.services.tailscale.port ]; + architect = { + networks.tailscale = { + interface = "ts0"; + net = "100.64.0.0/10"; + + devices = { + architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; }; + kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; }; + chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; }; + dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; }; + manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; }; + tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; + ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; + alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; + parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; }; + }; + }; + }; services = { tailscale = { enable = true; - interfaceName = ifname; + interfaceName = config.architect.networks.tailscale.interface; + package = pkgs.unstablePkgs.tailscale; }; }; - networking.extraHosts = '' - ${network.architect-ts} architect.devs.giugl.io - ${network.giuliopc-ts} kmerr.devs.giugl.io - ${network.dodino-ts} dodino.devs.giugl.io - ${network.giuliophone-ts} chuck.devs.giugl.io - ''; + networking.extraHosts = generateDeviceStrings config.architect.networks.tailscale.devices; } diff --git a/hosts/architect/utilities.nix b/hosts/architect/utilities.nix new file mode 100644 index 0000000..b61bd7f --- /dev/null +++ b/hosts/architect/utilities.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: + +{ + # device.address device.hostname + generateDeviceStrings = devices: lib.concatStringsSep "\n" + (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + getDeviceAddress = interface: device: + config.architect.networks.${interface}.devices.${device}.address; + + architectInterfaceAddress = interface: + config.architect.networks.${interface}.devices.architect.address; +} diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 9614a64..d793151 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -1,208 +1,214 @@ { config, lib, ... }: -with import ./network.nix; - let listenPort = 1194; + domain = "devs.giugl.io"; + interface = "wireguard"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings getDeviceAddress; + + getWireguardDeviceAddress = getDeviceAddress "wireguard"; in { - architect.firewall = { - openUDP = lib.singleton listenPort; - openUDPVPN = lib.singleton listenPort; + architect = { + firewall = { + openUDP = lib.singleton listenPort; + openUDPVPN = lib.singleton listenPort; + }; + + networks.${interface} = { + interface = "wg0"; + net = "10.3.0.0/24"; + devices = { + architect = { address = "10.3.0.1"; hostname = "architect.${domain}"; }; + antonio = { address = "10.3.0.6"; hostname = "antonio.${domain}"; }; + gbeast = { address = "10.3.0.7"; hostname = "gbeast.${domain}"; }; + shield = { address = "10.3.0.12"; hostname = "shield.${domain}"; }; + salvatore = { address = "10.3.0.16"; hostname = "salvatore.${domain}"; }; + papa = { address = "10.3.0.17"; hostname = "papa.${domain}"; }; + defy = { address = "10.3.0.18"; hostname = "defy.${domain}"; }; + germano = { address = "10.3.0.19"; hostname = "germano.${domain}"; }; + flavio = { address = "10.3.0.20"; hostname = "flavio.${domain}"; }; + alain = { address = "10.3.0.22"; hostname = "alain.${domain}"; }; + dima = { address = "10.3.0.23"; hostname = "dima.${domain}"; }; + mikey = { address = "10.3.0.24"; hostname = "mikey.${domain}"; }; + andrew = { address = "10.3.0.25"; hostname = "andrew.${domain}"; }; + mikeylaptop = { address = "10.3.0.26"; hostname = "mikeylaptop.${domain}"; }; + andrewdesktop = { address = "10.3.0.27"; hostname = "andrewdesktop.${domain}"; }; + jacopo = { address = "10.3.0.28"; hostname = "jacopo.${domain}"; }; + frznn = { address = "10.3.0.29"; hostname = "frznn.${domain}"; }; + ludo = { address = "10.3.0.30"; hostname = "ludo.${domain}"; }; + parina = { address = "10.3.0.31"; hostname = "parina.${domain}"; }; + nilo = { address = "10.3.0.32"; hostname = "nilo.${domain}"; }; + parina-ipad = { address = "10.3.0.33"; hostname = "parina-ipad.${domain}"; }; + kclvm = { address = "10.3.0.34"; hostname = "kclvm.${domain}"; }; + framecca = { address = "10.3.0.35"; hostname = "framecca.${domain}"; }; + framecca_one = { address = "10.3.0.36"; hostname = "framecca_one.${domain}"; }; + framecca_two = { address = "10.3.0.37"; hostname = "framecca_two.${domain}"; }; + framecca_three = { address = "10.3.0.38"; hostname = "framecca_three.${domain}"; }; + framecca_four = { address = "10.3.0.39"; hostname = "framecca_four.${domain}"; }; + }; + }; }; networking = { - extraHosts = '' - ${architect-wg} architect.devs.giugl.io - ${manduria-wg} manduria.devs.giugl.io - ${antonio-wg} antonio.devs.giugl.io - ${gbeast-wg} gbeast.devs.giugl.io - ${shield-wg} shield.devs.giugl.io - ${salvatore-wg} salvatore.devs.giugl.io - ${papa-wg} papa.devs.giugl.io - ${defy-wg} defy.devs.giugl.io - ${germano-wg} germano.devs.giugl.io - ${tommy-wg} tommy.devs.giugl.io - ${alain-wg} alain.devs.giugl.io - ${dima-wg} dima.devs.giugl.io - ${mikey-wg} mikey.devs.giugl.io - ${andrew-wg} andrew.devs.giugl.io - ${mikeylaptop-wg} mikeylaptop.devs.giugl.io - ${frznn-wg} frznn.devs.giugl.io - ${ludo-wg} ludo.devs.giugl.io - ${parina-wg} parina.devs.giugl.io - ${parina-ipad-wg} parinaipad.devs.giugl.io - ${nilo-wg} nilo.devs.giugl.io - ${kclvm-wg} kclvm.devs.giugl.io - ${framecca-wg} framecca.devs.giugl.io - ''; + extraHosts = generateDeviceStrings config.architect.networks.wireguard.devices; wireguard = { - interfaces.${vpn-if} = { + interfaces.${config.architect.networks.wireguard.interface} = { inherit listenPort; - ips = [ "10.3.0.1/24" ]; + ips = [ "${config.architect.networks.wireguard.devices.architect.address}/24" ]; privateKeyFile = "/secrets/wireguard/server.key"; peers = [ - { - # Manduria - allowedIPs = [ manduria-wg ]; - publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400="; - } - { # Antonio - allowedIPs = [ antonio-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "antonio") ]; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; } { # GBEAST - allowedIPs = [ gbeast-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "gbeast") ]; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; } { # shield - allowedIPs = [ shield-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "shield") ]; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; } { # salvatore - allowedIPs = [ salvatore-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "salvatore") ]; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; } { # papa - allowedIPs = [ papa-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "papa") ]; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; } { # defy - allowedIPs = [ defy-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "defy") ]; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; } { # germano - allowedIPs = [ germano-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "germano") ]; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; } { # flavio - allowedIPs = [ flavio-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "flavio") ]; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; } - { - # tommy - allowedIPs = [ tommy-wg ]; - publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo="; - } - { # alain - allowedIPs = [ alain-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "alain") ]; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; } { # dima - allowedIPs = [ dima-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "dima") ]; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; } { # mikey - allowedIPs = [ mikey-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "mikey") ]; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; } { # andrew - allowedIPs = [ andrew-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "andrew") ]; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; } { # mikey laptop - allowedIPs = [ mikeylaptop-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ]; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; } { # andrew desktop - allowedIPs = [ andrewdesktop-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ]; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; } { # laptop desktop - allowedIPs = [ jacopo-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "jacopo") ]; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; } { # frznn - allowedIPs = [ frznn-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "frznn") ]; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; } { # ludo - allowedIPs = [ ludo-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "ludo") ]; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; } { # parina - allowedIPs = [ parina-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "parina") ]; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; } { # nilo - allowedIPs = [ nilo-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "nilo") ]; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; } { # parina ipad - allowedIPs = [ parina-ipad-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ]; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; } { # kcl vm - allowedIPs = [ kclvm-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "kclvm") ]; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; } { - allowedIPs = [ framecca-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca") ]; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; } { - allowedIPs = [ framecca_one-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ]; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; } - + { - allowedIPs = [ framecca_two-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ]; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; } { - allowedIPs = [ framecca_three-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ]; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; } { - allowedIPs = [ framecca_four-wg ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ]; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; } ]; diff --git a/lib/host.nix b/lib/host.nix index a6f5105..816eede 100644 --- a/lib/host.nix +++ b/lib/host.nix @@ -27,21 +27,20 @@ modules = [ { - imports = users_mod ++ roles_mod ++ add_imports ++ [ + imports = users_mod ++ + roles_mod ++ + add_imports ++ [ (mkSysRole "common") (mkSysRole "acme") + (mkUser { name = "root"; roles = [ ]; }) ]; home-manager = { - users.root.imports = [ (mkHomeRole "common") ]; extraSpecialArgs.unstablePkgs = unstablePkgs; useGlobalPkgs = true; }; - system.stateVersion = "22.11"; - - environment.shells = [ pkgs.zsh ]; - users.defaultUserShell = pkgs.zsh; + system.stateVersion = "23.05"; } home-manager.nixosModules.home-manager diff --git a/lib/user.nix b/lib/user.nix index 5d4f62f..16382ee 100644 --- a/lib/user.nix +++ b/lib/user.nix @@ -6,20 +6,26 @@ roles_mod = (map (r: mkHomeRole r) roles); in { - users.groups.plugdev = { }; - fileSystems."/home/${name}/Downloads" = { device = "tmpfs"; fsType = "tmpfs"; options = [ "size=3G" ]; }; - users.users.${name} = { - isNormalUser = true; - extraGroups = [ "wheel" "plugdev" ]; + users = { + users.${name} = { + isNormalUser = name != "root"; + extraGroups = [ "wheel" "plugdev" ]; + shell = pkgs.zsh; + }; }; - home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod; + programs.zsh.enable = true; + + home-manager.users.${name}.imports = [ + (mkHomeRole "common") + (mkHomeRole "zsh") + ] ++ roles_mod; }; mkHMUser = { name, roles ? [ ] }: diff --git a/roles/acme.nix b/roles/acme.nix index d23825a..bd22485 100644 --- a/roles/acme.nix +++ b/roles/acme.nix @@ -1,10 +1,10 @@ -{ ... }: +{ options, lib, config, ... }: { - security.acme = { + config.security.acme = { acceptTerms = true; defaults = { - email = "sysadmin@giugl.io"; + email = "letsencrypt@depasquale.giugl.io"; }; }; } diff --git a/roles/common.nix b/roles/common.nix index ccfe52a..1987fad 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -1,7 +1,9 @@ { config, pkgs, lib, ... }: { - boot.tmpOnTmpfs = true; + boot.tmp = { + useTmpfs = true; + }; console = { keyMap = "us"; @@ -41,7 +43,6 @@ glances tcpdump restic - neovim tmux parted unzip @@ -50,5 +51,6 @@ nmap ripgrep jq + helix ]; } diff --git a/roles/home/common.nix b/roles/home/common.nix index 8b5128d..d19a65a 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -11,9 +11,10 @@ home-manager ripgrep ydiff + nix-index ] ++ lib.optional (!stdenv.isDarwin) pastebinit; - stateVersion = "22.11"; + stateVersion = "23.05"; }; } diff --git a/roles/home/helix.nix b/roles/home/helix.nix index b305f77..c2d0772 100644 --- a/roles/home/helix.nix +++ b/roles/home/helix.nix @@ -118,7 +118,6 @@ nodePackages.vscode-langservers-extracted nodePackages.typescript nodePackages.svelte-language-server - swiProlog nixpkgs-fmt ]; }; diff --git a/roles/home/zsh.nix b/roles/home/zsh.nix index 60cadbe..2cf25fa 100644 --- a/roles/home/zsh.nix +++ b/roles/home/zsh.nix @@ -14,6 +14,8 @@ initExtra = '' any-nix-shell zsh --info-right | source /dev/stdin + source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh ''; }; } +